Prism. That’s the new buzzword for the infringement of your privacy when it comes to cellphones. If you think Verizon is the only carrier that a government has its nose in, I’d suggest you’re a little naive. In the Prism-Verizon scandal, what has allegedly been happening is that the United States’ National Security Agency (NSA) has been data mining.

That is, they have been going through the call records of Verizon’s roughly 99 million customers looking for, well, anything. The records don’t include the conversations themselves, only metadata: the numbers dialed, the time and date of each call, and its duration. But if I’ve learned anything from Gene Hackman movies and Wired magazine, it’s that when it looks like the government has a toe over the privacy line, it actually drove a white van across it and camped out in your backyard a long, long time ago.

Today, I’m going to show you a few things you can do to make that information a bit more secure.

How to Encrypt Smartphone Data

If you don’t at least have a PIN that you have to enter to unlock your phone, you really need to set one up right now. You can use a PIN, a passphrase, a swipe pattern, or even face or voice recognition. Any of these is better than none of these, but they are not equal: a four-digit PIN has only 10,000 possibilities, a swipe pattern can often be read off the finger smudges on the glass, and Android’s own settings screen labels Face Unlock as low security. A long passphrase wins. You may also want to take any lock screen widgets off, since they can reveal what town you live in, or maybe even what stocks you are following. Go ahead, set it up; I’ll be here when you get back.

What can you tell for certain about me from my lock screen now? That Telus is my service provider, so I’m probably in Canada. That’s it. Everything else is common information such as the date, time, and temperature. That tip alone could save you from the prying questions of overly observant shoulder surfers. “Say, I see you work in IT too!”, “Is that your little girl? What’s her name?” Creepy questions, when asked by creepy people.

Encryption is The Key

To really secure your information, you need some sort of encryption. Encrypting the data on your phone means that someone who gets hold of the device powered off, or who pulls the storage chip and reads it directly, gets ciphertext that is useless to them without your password. Unless they have a lot of time and the right skill set, of course. Note what encryption does not do: once the phone is booted and unlocked, the data is decrypted and in use, so the lock screen is still your first line of defence, and a weak lock-screen password is a weak encryption password.

Whether you have an iPhone, Android, or Windows phone, you should encrypt most, if not all, the data that is on the phone. Let’s take a look at how the different phones allow you to encrypt your personal information.

Android Encryption

Go into the Settings screen and scroll down until you find Security. Tap it and you’ll see a couple of encryption choices. To encrypt the entire device, tap Encrypt device (Encrypt phone on stock Android). This encrypts all of your data, and you’ll need to enter your password to decrypt it every time you turn your phone on. The process can take quite a while, an hour or more depending on how much data you have to encrypt, and the phone must be charged and plugged in throughout: if it is interrupted you can lose data. It requires a password of at least 6 characters including at least 1 number.

It’s important that the Galaxy Nexus user manual notes that, “If you already set up a screen lock, you must use the same PIN or password. You can’t have two PINs or passwords.” That matters more than it sounds: the password you type on the lock screen is also the one the encryption key is derived from, so your disk encryption is exactly as strong as that password. If my combinatorics math is worth a damn at all, a six-character password drawn from lower-case letters and digits, with at least one digit, gives 36^6 - 26^6 = 1,867,866,560 possibilities. That sounds like a lot. Like, more than a bunch. Against someone who has copied the encrypted storage and is trying passwords offline, it isn’t, and a four-digit PIN (10,000 possibilities) is a joke. The fix is a longer passphrase that mixes in upper case and punctuation.

Okay, I used a calculator.
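Since the password math is the whole ballgame here, the following is an added worked example (mine, not code from the original article or from Google) that counts the password space under the at-least-one-digit rule, estimates worst-case crack time at an illustrative guess rate, and runs an offline brute force of a four-digit PIN against a PBKDF2-derived key standing in for the device’s real password-to-key step. The 2000-iteration count, the 1e5 guesses per second, the salt and the PIN 0413 are assumptions, not measurements of any real phone.

```python
# Added example, not code from the original article: how large is the
# password space behind Android 4.x full-disk encryption, and how fast does
# it fall to an offline attack? Assumptions, labelled: the 36-symbol
# alphabet (a-z plus 0-9) and the "at least one number" rule quoted above;
# PBKDF2 with a low iteration count (2000) standing in for the device's
# real password-to-key step; and illustrative, not measured, guess rates.
import hashlib
import itertools
import os
import string

DIGITS = string.digits                                      # 10 symbols
ALNUM = string.ascii_lowercase + DIGITS                     # 36 symbols
FULL = string.ascii_letters + DIGITS + string.punctuation   # 94 symbols


def keyspace(length, alphabet=ALNUM, require_digit=True):
    """Count passwords of `length` over `alphabet`.

    With require_digit, subtract the strings that contain no digit at all
    (inclusion-exclusion over the digit-free sub-alphabet).
    """
    total = len(alphabet) ** length
    if not require_digit:
        return total
    digit_free = sum(1 for c in alphabet if c not in DIGITS)
    return total - digit_free ** length


def crack_seconds(space, guesses_per_second):
    """Worst case: time to try every candidate at the given rate."""
    return space / guesses_per_second


# --- toy of the password-to-disk-key step --------------------------------
ITERATIONS = 2000   # assumption: a low, early-2010s PBKDF2 count
KEY_BYTES = 32


def derive_key(password, salt, iterations=ITERATIONS):
    """Stretch a lock-screen password into a key (PBKDF2-HMAC-SHA1)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt,
                               iterations, KEY_BYTES)


def brute_force_pin(salt, target_key, digits=4, iterations=ITERATIONS):
    """Offline attack on a numeric PIN.

    The attacker holds a copy of the encrypted storage, so they have the
    salt and a way to test a candidate key (here: compare to target_key,
    which stands in for "does this key decrypt the key blob?").
    Returns (pin, guesses_made) or (None, guesses_made).
    """
    guesses = 0
    for combo in itertools.product(DIGITS, repeat=digits):
        pin = "".join(combo)
        guesses += 1
        if derive_key(pin, salt, iterations) == target_key:
            return pin, guesses
    return None, guesses


def report(rate=1e5):
    """Worst-case crack time, in seconds, for a few password policies."""
    return {
        "4-digit PIN": crack_seconds(keyspace(4, DIGITS), rate),
        "6 chars, a-z0-9, >=1 digit": crack_seconds(keyspace(6), rate),
        "6 chars, 94-symbol alphabet": crack_seconds(keyspace(6, FULL), rate),
        "12 chars, a-z0-9, >=1 digit": crack_seconds(keyspace(12), rate),
        "AES-256 key itself": crack_seconds(2 ** 256, rate),
    }


if __name__ == "__main__":
    print(f"6-char alnum with a digit: {keyspace(6):,} candidates")
    for policy, secs in report().items():
        print(f"{policy:30s} {secs / 3600:.3g} hours at 1e5 guesses/s")
    # A concrete offline attack on a 4-digit PIN (constructed values).
    salt = os.urandom(16)
    stolen = derive_key("0413", salt)       # what the attacker must match
    pin, tries = brute_force_pin(salt, stolen)
    print(f"recovered PIN {pin} after {tries} guesses")
```

The point it makes: the attacker never touches AES itself; they attack the password that the key is derived from. At the illustrative rate a four-digit PIN falls in a fraction of a second, the six-character alphanumeric policy in a few hours, and a twelve-character passphrase in geological time.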

If you are using an external SD card to store sensitive data, you can choose the Encrypt external SD card option on the Security screen. There are some options when encrypting an SD card: you can either encrypt the entire card, or only new files that you add to the card from this point onward. Anything already on the card stays in the clear under the second option, so pick the first unless you know why you want the other. Again, it uses a password to decrypt the files. Just like the device encryption, it’s a 6 character password with at least 1 number.

iPhone Encryption

The process for encrypting the data on your iPhone is absurdly simple, at least in iOS 6.1. All you have to do is set a passcode that you enter to unlock your phone. The catch is in what the passcode actually protects: the phone’s storage is always hardware-encrypted, but that key is not tied to your passcode, and only iMessages, mail messages and attachments stored on the iPhone, and some apps from the App Store put their files under the passcode-bound Data Protection. That’s according to the iPhone iOS 6.1 manual. A four-digit Simple Passcode is also a 10,000-guess problem, so turn Simple Passcode off and use a longer one. If someone attempts to figure out your passcode, after 10 failed attempts your encryption key, and therefore your data, is erased, provided you’ve enabled the Erase Data setting in Settings > General > Passcode Lock.

When you back up your iPhone to your computer via iTunes, you can encrypt the backup. Do it: an unencrypted backup sitting on your PC is an easier target than the phone itself, and only an encrypted backup carries your saved passwords (the keychain) so that a restore brings them back.

Windows Phone Encryption

It seems that Microsoft has caused a lot of confusion for Windows Phone 8 users when it comes to encrypting their phones. According to the Windows Phone 8 How-To page, “Other security features, such as device encryption, can be turned on by your employer via a company policy.” In other words, there is no switch on the phone; encryption is turned on only by a policy pushed from an Exchange (ActiveSync) server. I haven’t priced out Exchange Server lately, but most non-corporate users of a Windows phone are not going to buy it. There also seems to be a lot of confusion about whether the feature can be turned on if you have an Office 365 subscription. I chatted with a Microsoft rep, and their response was that I would need the Exchange Online Plan 1, at $4.99/month.

Even then, if you look at the transcript of the conversation, I don’t think they were too sure this would work either.

The Take Away

Is the government going to be snooping through the files on your phone? Most likely not. Should you encrypt the contents of your smartphone anyway? Yes: there are lots of two-legged rats willing to crawl all over a lost or stolen phone for any tidbit that can profit them. Which phone seems to do the best job of encrypting data? I’d have to say Android, since it is the only one of the three that natively binds the entire contents of the phone to your password, with the iPhone just behind it, and Windows Phone coming in a distant third. Really distant. More of a no-show, really.

Is your smartphone encrypted? Did you use a third-party application to do it, or just what the phone came with? Has it made it difficult to use your phone at all? Do you think it’s necessary to encrypt your phone? Why don’t we talk about it, unencrypted of course, in our completely unsecured comments below.

If they have your password to log on to your phone, then yes, they would be able to read text messages, look at pictures, etc. That's why PIN and password protection is an integral part of encryption and security.

I have read articles similar to this with regards to encrypted hard drives. It's a pretty tricky process that requires you to have your hands on the phone. Encryption still provides reasonable security against attacks over a network. If your phone gets stolen, then they have as long as they want to decrypt it. Most phone-stealers won't even bother unless you're a super spy and they are an evil villain.

One question that I have is this: On an Android phone, if you decide to turn off the encryption (for whatever reason), is it a painless process, or do you risk losing the data? Mainly, I would think that someone would want to turn the encryption off (at least on their SD Card) if they're transferring everything to a new phone.

This comes from the Encrypt phone instructions on Android phones. Well, at least on a CM10 ROM; not 100% sure if that changes on different ROMs or when unrooted. But I would assume this is a base Android function.

Unfortunately Google won't protect your phone from the government if it wants to break your encryption; it will just reset your password. Apple is slightly better in that it will just crack your password, but if you've got a sufficiently long passphrase, which means more than 8 characters, it will currently be difficult for them to break. Once on your phone you can use something like RedPhone or SecureText to encrypt your actual communication and Obscuracam to obscure pictures. I'm not paranoid though, I swear. Then again, I'm not all that hard to find online.

A day to crack encryption? Not unless you had a really weak password (which honestly is a problem) or more powerful computers, which thankfully are constrained by costs. Encryption does work wonders. You're correct though, most users would do perfectly well to start with the security features you list. I think your tag line referencing PRISM is what makes me sad about Google. I'm just bummed there isn't a better kind of whole device encryption which won't/can't roll over, like TrueCrypt but for the Android device. Whisper Systems were working on something until they were bought by Twitter, but at least they open sourced the programs I listed above, and there is still folder-level encryption software out there. Great article though.

Yep, a day to crack, "If you had all the resources that a G20 country has at their disposal..." I'm guessing you missed that part. You do realize that communications between countries are monitored, and therefore already cracked, on a daily basis. All of these with far greater encryption methods than what Betty Facebook is using on her iDevice when she buys a $400 snot-rag-bag. (Really folks, that's all a Coach bag really is.)

I'm really snarky after 10:00 p.m. Sorry 'bout that.

TechnoAngina

June 19, 2013 at 5:49 am

Hey thanks for humoring me here, I must be getting something confused, because everything I've researched on it says the exact opposite. I'd be really interested in getting pointed towards what kind of cracking techniques they could be using. Weak passwords I can see, but how exactly do they break AES or other end to end encryption schemes? See the links below to see what I'm referring to, maybe we're talking about two entirely different things?(Not being snarky, it's 1:47AM, no energy to do so)

Here's where we encounter a problem and enter a territory that simply isn't documented, or really talked about.

Why would any agency say that they can crack, say, AES quickly and reliably? That would send the private sector reeling. It would send those bad guys that are depending on AES scrambling for something else. If you were a thief and knew the combination to the bank's safe, would you tell them?

Once the algorithm is developed and tested, time to implement the algorithm goes down dramatically. Then take a look at the kind of data centers the U.S. gov't has at its disposal, and are currently building - far greater than 21 computers with 252 cores. Each additional core and computer drops the time significantly again.

Personally, I believe that there are a lot of gov't placed back doors and keys. Of course, no one is going to advertise that fact - that would defeat the purpose.

I'm not saying encryption is worthless, I'm saying it's not perfect security. It is reasonable security.

Guy McDowell

June 19, 2013 at 12:55 pm

Here's an oversimplification of what it would take to crack 256-bit AES Encryption...

Browsers like Firefox may not use encrypted packets (not by default, anyway), however there is one boon. Since I know that Firefox uses one-way encryption to store passwords, even on a decrypted device these should be irrecoverable, even though the NSA has access to most every algorithm approved for commercial use.

And, "Just because you're paranoid, doesn't mean they're not out to get you."
At least that's what a retired engineer friend of mine says.

“If you already set up a screen lock, you must use the same PIN or password. You can’t have two PINs or passwords.”

Does this apply to devices other than Galaxy Nexus? Does it mean that I must use a PIN or password and cannot use a "pattern" screen lock? And what's the difference between a PIN and password anyway? Is one more secure than the other?

Since I have a phone running Ice Cream Sandwich, please allow me to fill in.
In Settings > Security, the phone encryption option requires you to enter a password "of at least six characters, including at least one number", so this is not the same as the screenlock PIN. I would also point out that there is an option (at least in my case) to leave multimedia files on the SD CARD ONLY unencrypted. This might be handy for faster access and backup, but since we're on the topic of privacy, I doubt anyone wants to leave open the possibility of a street rat or gov't agency seeing images of their family, close friends, or co-workers.

Y'know, now that you say that, it makes me realize that Google is using the acronym PIN incorrectly.

That's interesting about the 'multimedia files on SD card only' unencrypted option. You'd think that they'd have just the two options of 'encrypt SD card' or 'leave SD card unencrypted'. Either way, I agree that it's best to encrypt the whole damn thing.

Curious

August 8, 2013 at 3:39 pm

Guy: What is the most commonly used encryption algorithm on mobile phones? Is the algorithm compliant with FIPS AES128 at the very least? Thanks.

With 20+ years of experience in IT, training, and technical trades, it is my desire to share what I've learned with anyone else willing to learn. I strive to do the best job possible in the best manner possible, and with a little humour. Keep in touch: Twitter - Facebook…